On February 11, 2026, Apple shipped a round of security updates that fix CVE-2026-20700, a memory corruption flaw in dyld, the dynamic linker used across its operating systems. Apple acknowledges that the bug may have been exploited in an “extremely sophisticated” attack against specific individuals. That makes it a zero-day: someone was already abusing it before a patch existed.
What the vulnerability is
dyld (dynamic linker) is a critical piece of Apple’s platforms. It loads dynamic libraries into memory and links each application’s code with system frameworks when a program launches. Nearly every app that runs on an Apple device goes through dyld, so any flaw inside it is worth a lot to an attacker.
CVE-2026-20700 is a memory corruption bug. An attacker with memory write capability could use it to achieve arbitrary code execution. This is not a mere stability problem: under the right conditions it lets attacker-controlled instructions run on the device itself.
Who is affected and severity
The flaw cuts across Apple’s whole lineup. It affects:
- iOS and iPadOS
- macOS (including the Tahoe branch)
- watchOS
- tvOS
- visionOS
The severity is critical for two reasons that stack together: arbitrary code execution and, above all, the active exploitation that Apple itself confirms. The company describes the attack as aimed at specific people using highly advanced techniques, the usual pattern of mercenary spyware and well-resourced actors. The vulnerability was reported by Google’s Threat Analysis Group (TAG), the team that tracks targeted exploitation campaigns. Its exploitation has also been tied to other zero-days that were already patched in WebKit in late 2025.
For the average user the risk of being a direct target is low, since these attacks are reserved for high-value victims. Still, once the fix ships and the nature of the bug is described, technical knowledge spreads fast, so it pays to update without waiting.
Mitigation and patch
The only mitigation that works is to install the updates Apple released on February 11, 2026. The patch ships in:
- iOS 26.3 and iPadOS 26.3
- macOS Tahoe 26.3
- watchOS 26.3
- tvOS 26.3
- visionOS 26.3
A few practical recommendations:
- Update from Settings → General → Software Update (iOS/iPadOS) or System Settings → General → Software Update (macOS).
- Turn on automatic updates to shrink your exposure window against future zero-days.
- If you manage devices in an organization, push the rollout through your MDM as soon as you can, especially for high-risk profiles (executives, journalists, activists).
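For the MDM rollout recommended above, a fleet export can be checked against the fixed versions listed on this page, with high-risk profiles queued first. This is an added example, not code from Apple or from the original article; the CSV columns (device, platform, version, high_risk) and the sample rows are constructed assumptions.

```python
import csv
import io

# Fixed versions as listed on this page: 26.3 on every affected platform.
# Assumption: only the 26.3 releases named here are treated as fixed; devices
# on any other branch are reported as below the fixed version.
FIXED = {p: (26, 3) for p in
         ("ios", "ipados", "macos", "watchos", "tvos", "visionos")}

# Constructed sample inventory (hypothetical devices and column names).
SAMPLE = """device,platform,version,high_risk
kiosk-tv,tvOS,26.2,no
ceo-iphone,iOS,26.2.1,yes
lab-mac,macOS,26.3,no
newsroom-ipad,iPadOS,26.3.1,yes
dev-watch,watchOS,beta,no
"""

def classify(platform, version):
    """Return 'patched', 'below_fixed' or 'unknown' for one device."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "unknown"              # platform not covered by this advisory
    try:
        found = tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return "unknown"              # empty or non-numeric version string
    # Pad both tuples so that 26.3 and 26.3.0 compare as equal.
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return "patched" if found >= fixed else "below_fixed"

def audit(csv_text):
    """Return (rollout_queue, needs_review) as lists of device names."""
    queue, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["platform"], row["version"])
        if status == "below_fixed":
            queue.append(row)
        elif status == "unknown":
            review.append(row["device"])
    # Stable sort: high-risk profiles move to the front of the rollout queue.
    queue.sort(key=lambda r: r["high_risk"].strip().lower() != "yes")
    return [r["device"] for r in queue], review

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows that land in the review list (unparseable versions, platforms outside the advisory) need a manual check rather than being assumed safe.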
This update was part of a broader February 2026 release in which Apple fixed dozens more vulnerabilities in the kernel, WebKit and other components. For more context on the affected system, see the macOS entry.
Source
- The Hacker News — Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Other Devices: https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html
- CVE detail on NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20700